Loading...
Searching...
No Matches
mont.c File Reference
#include <stdio.h>#include <string.h>#include <assert.h>#include "steps.h"#include "mont.h"#include "../common/fp/mulx/fp.h"#include "poly.h"#include "int64mask.h"
Include dependency graph for mont.c:
Go to the source code of this file.
Functions | |
| void | xA24 (proj *A24, const proj *A) |
| void | xDBLADD (proj *R, proj *S, proj const *P, proj const *Q, proj const *PQ, proj const *A24, int Aaffine) |
| void | xDBL (proj *Q, proj const *P, const proj *A24, int Aaffine) |
| void | xADD (proj *S, proj const *P, proj const *Q, proj const *PQ) |
| void | xMUL_dac (proj *Q, proj const *A24, int Aaffine, proj const *P, int64_t dac, int64_t daclen, int64_t maxdaclen) |
| void | xMUL (proj *Q, proj const *A, int Aaffine, proj const *P, uintbig const *k, int64_t kbits) |
| void | xMUL_vartime (proj *Q, proj const *A, int Aaffine, proj const *P, uintbig const *k) |
| void | xISOG_matryoshka (proj *A, proj *P, int64_t Plen, proj const *K, int64_t k, int64_t klower, int64_t kupper) |
| void | xISOG (proj *A, proj *P, int64_t Plen, proj const *K, int64_t k) |
| void | xISOG_old (proj *A, proj *P, proj const *K, int64_t k) |
Function Documentation
◆ xA24()
◆ xADD()
◆ xDBL()
◆ xDBLADD()
| void xDBLADD | ( | proj * | R, |
| proj * | S, | ||
| proj const * | P, | ||
| proj const * | Q, | ||
| proj const * | PQ, | ||
| proj const * | A24, | ||
| int | Aaffine ) |
Definition at line 49 of file mont.c.
50{
51 fp tmp0, tmp1, tmp2;
52
53 fp_add3(&tmp0, &P->x, &P->z);
54 fp_sub3(&tmp1, &P->x, &P->z);
56 fp_sub3(&tmp2, &Q->x, &Q->z);
57 fp_add3(&S->x, &Q->x, &Q->z);
62 if (Aaffine)
63 fp_quadruple1(&R->z);
64 else
65 fp_mul2(&R->z, &A24->z);
72 fp_sq1(&S->z);
73 fp_sq1(&S->x);
74 fp_mul2(&S->z, &PQ->x);
75 fp_mul2(&S->x, &PQ->z);
76}
◆ xISOG()
Definition at line 789 of file mont.c.
References xISOG_matryoshka.
◆ xISOG_matryoshka()
| void xISOG_matryoshka | ( | proj * | A, |
| proj * | P, | ||
| int64_t | Plen, | ||
| proj const * | K, | ||
| int64_t | k, | ||
| int64_t | klower, | ||
| int64_t | kupper ) |
Definition at line 429 of file mont.c.
430{
431 assert(3 <= klower);
432 assert(klower & 1);
433 assert(kupper & 1);
434
435 int64_t sqrtvelu = 0;
436 int64_t bs = 0;
437 int64_t gs = 0;
438
439 steps(&bs, &gs, klower);
440 if (bs)
441 {
442 sqrtvelu = 1;
443 assert(bs > 0);
444 assert(gs > 0);
445 assert(!(bs & 1));
446 }
447
448 fp tmp0, tmp1, tmp2, tmp3, tmp4;
449
450 proj A24;
452
453 // A -> (A : C)
454 // Aed.z = 2C
456
457 // Aed.x = A + 2C
459
460 // A24.x = A + 2C
462
463 // A24.z = 4C
465
466 // Aed.z = A - 2C
468
470#ifndef NDEBUG
471 int Minit[kupper];
472
473 for (int64_t s = 0; s < kupper; ++s)
474 Minit[s] = 0;
475
476 Minit[1] = 1;
477#endif
478 M[1] = *K;
479 xDBL(&M[2], K, &A24, 0);
480#ifndef NDEBUG
481 Minit[2] = 1;
482#endif
483
484 if (sqrtvelu)
485 {
486 for (int64_t s = 3; s < kupper; ++s)
487 {
488 if (s & 1)
489 {
490 int64_t i = s / 2;
493 {
494 if (s == 3)
495 {
496 assert(Minit[1]);
497 assert(Minit[2]);
498 xADD(&M[s], &M[2], &M[1], &M[1]);
499#ifndef NDEBUG
500 Minit[s] = 1;
501#endif
502 continue;
503 }
504 assert(Minit[s - 2]);
505 assert(Minit[s - 4]);
506 assert(Minit[2]);
507 xADD(&M[s], &M[s - 2], &M[2], &M[s - 4]);
508#ifndef NDEBUG
509 Minit[s] = 1;
510#endif
511 continue;
512 }
513 }
514 else
515 {
516 int64_t i = s / 2 - 1;
519 {
520 if (s == 4)
521 {
522 assert(Minit[2]);
523 xDBL(&M[s], &M[2], &A24, 0);
524#ifndef NDEBUG
525 Minit[s] = 1;
526#endif
527 continue;
528 }
529 assert(Minit[s - 2]);
530 assert(Minit[s - 4]);
531 assert(Minit[2]);
532 xADD(&M[s], &M[s - 2], &M[2], &M[s - 4]);
533#ifndef NDEBUG
534 Minit[s] = 1;
535#endif
536 continue;
537 }
538 }
539
540 if (bs > 0)
541 {
542 if (s == 2 * bs)
543 {
544 assert(Minit[bs - 1]);
545 assert(Minit[bs + 1]);
546 assert(Minit[2]);
547 xADD(&M[s], &M[bs + 1], &M[bs - 1], &M[2]);
548#ifndef NDEBUG
549 Minit[s] = 1;
550#endif
551 continue;
552 }
553 else if (s == 4 * bs)
554 {
555 assert(Minit[2 * bs]);
556 xDBL(&M[s], &M[2 * bs], &A24, 0);
557#ifndef NDEBUG
558 Minit[s] = 1;
559#endif
560 continue;
561 }
562 else if (s == 6 * bs)
563 {
564 assert(Minit[2 * bs]);
565 assert(Minit[4 * bs]);
566 xADD(&M[s], &M[4 * bs], &M[2 * bs], &M[2 * bs]);
567#ifndef NDEBUG
568 Minit[s] = 1;
569#endif
570 continue;
571 }
572 else if (s % (4 * bs) == 2 * bs)
573 {
574 int64_t j = s / (4 * bs);
577 {
578 assert(Minit[s - 4 * bs]);
579 assert(Minit[s - 8 * bs]);
580 assert(Minit[4 * bs]);
581 xADD(&M[s], &M[s - 4 * bs], &M[4 * bs], &M[s - 8 * bs]);
582#ifndef NDEBUG
583 Minit[s] = 1;
584#endif
585 continue;
586 }
587 }
588 }
589 }
590 }
591 else
592 {
594 {
595#ifndef NDEBUG
596 Minit[i] = 1;
597#endif
599 }
600 }
601
602 proj Abatch;
605 int64_t fixPlen = 0;
606 if(Plen>0) {
607 fixPlen = Plen;
608 } else {
609 fixPlen = 1;
610 }
611 proj Qbatch[fixPlen];
612 for (int64_t h = 0; h < Plen; ++h)
613 {
616 }
617 fp Psum[fixPlen], Pdif[fixPlen];
618 for (int64_t h = 0; h < Plen; ++h)
619 {
620 //precomputations
621 // ( X + Z )
623 // ( X - Z )
625 }
626
627 if (sqrtvelu)
628 {
629 int64_t TIlen = 2 * bs + poly_tree1size(bs);
630 fp TI[TIlen];
631
633 {
637 }
638
640
641 fp Aprecomp[gs][8];
642 fp T1[3 * gs];
643 fp Tminus1[3 * gs];
644
646 {
650 }
651 poly_multiprod2_selfreciprocal(T1, gs);
652 poly_multiprod2_selfreciprocal(Tminus1, gs);
653
654 int64_t precompsize = poly_multieval_precomputesize(bs, 2 * gs + 1);
655 fp precomp[precompsize];
657
658 fp v[bs];
659
660 poly_multieval_postcompute(v, bs, (const fp *)T1, 2 * gs + 1, (const fp *)TI, (const fp *)TI + 2 * bs, (const fp *)precomp);
664
665 poly_multieval_postcompute(v, bs, (const fp *)Tminus1, 2 * gs + 1, (const fp *)TI, (const fp *)TI + 2 * bs, (const fp *)precomp);
669
670 for (int64_t h = 0; h < Plen; ++h)
671 {
672 fp Pprecomp[6];
673 biquad_precompute_point(Pprecomp, &P[h]);
674
675 fp TP[3 * gs];
678 poly_multiprod2(TP, gs);
679
680 fp TPinv[2 * gs + 1];
683
684 poly_multieval_postcompute(v, bs, (const fp *)TP, 2 * gs + 1, (const fp *)TI, (const fp *)TI + 2 * bs, (const fp *)precomp);
685 fp_copy(Qbatch[h].z, v[0]);
688
689 poly_multieval_postcompute(v, bs, (const fp *)TPinv, 2 * gs + 1, (const fp *)TI, (const fp *)TI + 2 * bs, (const fp *)precomp);
690 fp_copy(Qbatch[h].x, v[0]);
693 }
694
695 int64_t ignore = (k - 1) / 2 - 2 * bs * gs; /* skip i >= ignore */
697 {
706 for (int64_t h = 0; h < Plen; ++h)
707 {
716 }
717 }
718 }
719 else
720 {
721 // no sqrtvelu
722 int64_t ignore = (k + 1) / 2; /* skip i >= ignore */
723
724 assert(Minit[1]);
729
730 for (int64_t h = 0; h < Plen; ++h)
731 {
736 }
737
739 {
740 int64_t want = -((i - ignore) >> 61);
741 // 2 < i < (k-1)/2
749 for (int64_t h = 0; h < Plen; ++h)
750 {
751 // point evaluation
760 }
761 }
762 }
763
764 for (int64_t h = 0; h < Plen; ++h)
765 {
766 // point evaluation
767 // [∏( X − Z )( X i + Z i ) + ( X + Z )( X i − Z i )]^2
768 fp_sq1(&Qbatch[h].x);
769 fp_sq1(&Qbatch[h].z);
770
771 // X' = X * Qbatch[h].x
772 // X' = X * [∏( X − Z )( X i + Z i ) + ( X + Z )( X i − Z i )]^2
775 }
776
777 // Aed.x = Aed.x^k * Abatch.z^8
779 // Aed.z = Aed.z^k * Abatch.x^8
781
782 //compute Montgomery params
783 // ( A' : C' ) = ( 2 ( a'_E + d'_E ) : a'_E − d'_E )
786 fp_double1(&A->x);
787}
assert(var1 eq var2)
References assert(), fp_1, fp_copy, i, j, poly_multieval_postcompute, poly_multieval_precompute, poly_multieval_precomputesize, poly_multiprod2, poly_multiprod2_selfreciprocal, poly_tree1, poly_tree1size, steps, proj::x, xADD, xDBL, and proj::z.
Here is the call graph for this function:
◆ xISOG_old()
Definition at line 794 of file mont.c.
795{
796 assert(k >= 3);
797 assert(k % 2 == 1);
798
799 fp tmp0, tmp1, tmp2, Psum, Pdif;
800 proj Q, Aed, prod;
801
802 fp_add3(&Aed.z, (const fp *)&A->z, (const fp *)&A->z); //compute twisted Edwards curve coefficients
805
808
809 fp_sub3(&prod.x, &K->x, &K->z);
810 fp_add3(&prod.z, &K->x, &K->z);
811
816
817 proj M[k];
818 proj A24;
819 xA24(&A24, A);
820
821 M[0] = *K;
822 xDBL(&M[1], K, &A24, 0);
824 {
826 }
827
829 {
840 }
841
842 // point evaluation
843 fp_sq1(&Q.x);
844 fp_sq1(&Q.z);
847
848 //compute Aed.x^k, Aed.z^k
850
851 //compute prod.x^8, prod.z^8
852 fp_sq1(&prod.x);
853 fp_sq1(&prod.x);
854 fp_sq1(&prod.x);
855 fp_sq1(&prod.z);
856 fp_sq1(&prod.z);
857 fp_sq1(&prod.z);
858
859 //compute image curve parameters
862
863 //compute Montgomery params
867}
References assert(), i, proj::x, xA24, xADD, xDBL, and proj::z.
Here is the call graph for this function:
◆ xMUL()
| void xMUL | ( | proj * | Q, |
| proj const * | A, | ||
| int | Aaffine, | ||
| proj const * | P, | ||
| uintbig const * | k, | ||
| int64_t | kbits ) |
Definition at line 156 of file mont.c.
157{
158 proj R = *P;
159 proj A24;
161
164
165 xA24(&A24, A);
166
167 int64_t prevbit = 0;
168 while (kbits > 0)
169 {
170 --kbits;
171
172 int64_t bit = uintbig_bit(k, kbits);
173 int64_t bitxor = bit ^ prevbit;
174
175 proj_cswap(Q, &R, bitxor);
176
177 xDBLADD(Q, &R, Q, &R, &Pcopy, &A24, Aaffine);
178
179 prevbit = bit;
180 }
181 proj_cswap(Q, &R, prevbit);
182}
References fp_0, fp_1, fp_copy, uintbig_bit, proj::x, xA24, xDBLADD, and proj::z.
◆ xMUL_dac()
| void xMUL_dac | ( | proj * | Q, |
| proj const * | A24, | ||
| int | Aaffine, | ||
| proj const * | P, | ||
| int64_t | dac, | ||
| int64_t | daclen, | ||
| int64_t | maxdaclen ) |
Definition at line 110 of file mont.c.
111{
113 proj P1 = Pinput;
114 proj P2;
115 xDBL(&P2, &P1, A24, Aaffine);
116 proj P3;
117 xADD(&P3, &P2, &P1, &P1);
118 // int64_t collision = fp_iszero(&Pinput.z);
119 int64_t collision = fp_iszero(Pinput.z);
120
121 for (;;)
122 {
123 int64_t want = 1 + int64mask_negative(daclen);
124 proj_cmov(Q, &P3, want);
125 if (maxdaclen <= 0)
126 break;
127
128 // invariant: P1+P2 = P3
129 // odd dac: want to replace P1,P2,P3 with P1,P3,P1+P3
130 // even dac: want to replace P1,P2,P3 with P2,P3,P2+P3
131
132 proj_cswap(&P1, &P2, 1 - (dac & 1));
133 // invariant: P1+P2 = P3
134 // all cases: want to replace P1,P2,P3 with P1,P3,P1+P3
135
136 // collision |= want&fp_iszero(&P2.z);
137 collision |= want & fp_iszero(P2.z);
138
139 proj next;
140 xADD(&next, &P3, &P1, &P2);
141 P2 = P3;
142 P3 = next;
143
144 maxdaclen -= 1;
145 daclen -= 1;
146 dac >>= 1;
147 }
148
149 proj_cmov(Q, &Pinput, collision);
150 // in case of collision, input has the right order
151}
